IN THE CLAIMS 



This listing of claims will replace all prior versions, and listings, of claims in the 
application: 
Listing of Claims: 

1. (Currently amended) A system for detecting intrusions, comprising: 
an analysis engine; and 

at least one sensor, configured to communicate with the analysis engine using at least one 
meta-protocol under which a 4-tuple is used to represent a data item to be sent to the analysis 
engine for analysis; 

wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the 
data item and represents the data item in a manner that enables the analysis engine to receive and 
use the data item regardless of how the data item is represented and organized on a platform 
associated with the sensor. 

2. (original) The system as recited in claim 1, wherein the meta-protocol includes a data 
packet, and the data packet includes the 4-tuple. 

3. (canceled) 

4. (canceled) 

5. (Currently amended) The system as recited in claim [[4]] 1, wherein the analysis engine 
is configured to use the data item to detect an intrusion. 

6. (original) The system as recited in claim 1, wherein the at least one sensor is configured 
to communicate with the analysis engine using a plurality of meta-protocols. 

7. (original) The system as recited in claim 6, wherein each of the plurality of 
meta-protocols includes a 4-tuple. 

8. (original) The system as recited in claim 6, wherein the analysis engine is configured to 
invoke the at least one sensor and specify a set of meta-protocols supported by the analysis 
engine, and wherein the at least one sensor is configured to select a meta-protocol from the set. 



9. (original) The system as recited in claim 8, wherein the set is a null set, and the at least 
one sensor is configured to use a default protocol. 

10. (original) The system as recited in claim 7, wherein the analysis engine is configured to 
specify a set of semantic codes representing data being requested by the analysis engine. 

11. (original) The system as recited in claim 10, wherein the at least one sensor is configured 
to supply data associated with the semantic codes, and wherein the at least one sensor further 
supplies data not associated with the semantic codes. 

12. (original) The system as recited in claim 11, wherein the analysis engine is configured to 
disregard the data not associated with the semantic codes. 

13. (original) The system as recited in claim 10, wherein the set of semantic codes is a null 
set, and the at least one sensor is configured to use a default set of semantic codes. 

14. (original) The system as recited in claim 1, wherein the analysis engine is located on a 
first host and an instance of the at least one sensor is located on a second host apart from the first 
host. 

15. (original) The system as recited in claim 14, comprising a second instance of the at least 
one sensor, wherein the second instance is located on a host apart from the second host. 

16. (original) The system as recited in claim 1, wherein the at least one sensor includes a 
sensor collector in communication with the analysis engine. 

17. (original) The system as recited in claim 1, further comprising a sensor collector 
disposed in a communication path between the analysis engine and the at least one sensor. 

18. (original) The system as recited in claim 1, wherein the analysis engine is configured to 
load a rule set while the analysis engine is in operation. 

19. (original) The system as recited in claim 1, further comprising a second sensor, and 
wherein the analysis engine is configured to load a rule set for the second sensor while the 
analysis engine is in operation. 

20. (original) The system as recited in claim 19, wherein the rule set is configured to specify 
interactions of data from the second sensor with data from the at least one sensor. 

21. (original) The system as recited in claim 20, wherein the analysis engine is configured to 
ignore rules in the rule set that specify data not supplied by any sensor. 

22. (Currently amended) A method for detecting intrusions, comprising the steps of: 
providing an analysis engine; 

providing at least one sensor; and 

defining a meta-protocol including a 4-tuple for communication between the analysis 
engine and the at least one sensor; 

wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the 
data item and represents a data item to be sent to the analysis engine for analysis in a manner that 
enables the analysis engine to receive and use the data item regardless of how the data item is 
represented and organized on a platform associated with the sensor. 

23. (Currently amended) A computer program product for detecting intrusions on a host, the 
computer program product being embodied in a computer readable medium having machine 
readable code embodied therein for performing the steps of: 

providing an analysis engine; 
providing at least one sensor; and 

defining a meta-protocol including a 4-tuple for communication between the analysis 
engine and the at least one sensor; 

wherein the 4-tuple comprises a semantic type, data type, data type size, and value of the 
data item and represents a data item to be sent to the analysis engine for analysis in a manner that 
enables the analysis engine to receive and use the data item regardless of how the data item is 
represented and organized on a platform associated with the sensor. 
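
Added illustration, not part of the claims or of the applicant's implementation: one possible wire encoding of the 4-tuple of claim 1, with the analysis engine disregarding unrequested semantic codes as in claims 10 to 12. The byte layout, the data-type codes and the semantic codes are assumptions; the claims specify none of them.

```python
import struct

# Assumed wire layout (not from the claims): semantic u16 | type u8 | size u16 | value
HEADER = struct.Struct("!HBH")                      # network byte order on every platform
T_UINT, T_INT, T_STR = 1, 2, 3                      # hypothetical data-type codes
SEM_UID, SEM_PROC, SEM_DEBUG = 0x0001, 0x0002, 0x00FF  # hypothetical semantic codes

def encode_item(semantic, dtype, value, int_size=4):
    """Sensor side: turn one native value into a 4-tuple on the wire."""
    if dtype in (T_UINT, T_INT):
        raw = value.to_bytes(int_size, "big", signed=(dtype == T_INT))
    elif dtype == T_STR:
        raw = value.encode("utf-8")
    else:
        raise ValueError(f"unknown data type {dtype}")
    return HEADER.pack(semantic, dtype, len(raw)) + raw

def decode_packet(buf):
    """Engine side: parse 4-tuples, rejecting truncated or malformed input."""
    items, off = [], 0
    while off < len(buf):
        if len(buf) - off < HEADER.size:
            raise ValueError("truncated 4-tuple header")
        semantic, dtype, size = HEADER.unpack_from(buf, off)
        off += HEADER.size
        raw = buf[off:off + size]
        if len(raw) != size:
            raise ValueError("declared size exceeds remaining data")
        off += size
        if dtype in (T_UINT, T_INT):
            value = int.from_bytes(raw, "big", signed=(dtype == T_INT))
        elif dtype == T_STR:
            value = raw.decode("utf-8")
        else:
            raise ValueError(f"unknown data type {dtype}")
        items.append((semantic, dtype, size, value))
    return items

def engine_accept(buf, requested):
    """Keep only the semantic codes the engine asked for; disregard the rest."""
    return {sem: val for sem, _t, _s, val in decode_packet(buf) if sem in requested}

# Constructed sample: two sensors hold the same UID in different native widths.
PKT_A = encode_item(SEM_UID, T_UINT, 1000, int_size=2) + encode_item(SEM_DEBUG, T_STR, "x")
PKT_B = encode_item(SEM_UID, T_UINT, 1000, int_size=8) + encode_item(SEM_PROC, T_STR, "sshd")
```

Because each item carries its own data type and size, the engine recovers the same UID from both packets without knowing either sensor's native integer width, and a size field that runs past the end of the buffer is rejected instead of being read.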